Re: layer2 ipfw 'fwd' support
On Thu, Oct 7, 2010 at 10:23 PM, Eduardo Meyer dudu.me...@gmail.com wrote: On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer jul...@freebsd.org wrote: On 10/6/10 12:06 PM, Eduardo Meyer wrote: On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischerjul...@freebsd.org wrote: On 10/5/10 12:56 PM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischerjul...@freebsd.org wrote: On 10/4/10 12:18 PM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org wrote: On 10/4/10 10:16 AM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch jamesbrandongo...@gmail.com wrote: On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com wrote: Hello, In the past I have used this patch by Luigi Rizzo, which helped me well. http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html I tried with a friend to port it to -STABLE, but we were not able to find out what has replaced mt_tag. Also on ip_input.c we dirty hacked to following piece of code: #ifdef IPFIREWALL_FORWARD if (m-m_flags M_FASTFWD_OURS) { m-m_flags= ~M_FASTFWD_OURS; goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */ } if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly * connected host. */ ip_forward(m, dchg); return; } #endif /* IPFIREWALL_FORWARD */ And this is something we are not sure if its correct. So my very obvious question is: Does anyone has a recent version of this patch to share? Can anyone familiar with ipfw source code help me with that? I'm certainly not an expert, but I wonder if the patch your referring to is still required? Can you provide more detail about your particular application? -Brandon Yes, its still required since ipfw fwd ignores layer2 frames. The application is the very same: squid. I mean, Lusca in fact (squid fork). Thank you for your interest. Cisco/Ironport have a patch that does this.. I had permission to bring it back when I worked there but never got it committed. Adrian, was it part of the set I gave you? Hello Elischer, Was this made public? I hope Chadd has some good news. In fact I tent to use with Lusca in tproxy mode. I bet this is the only missing piece of software. I just dug up my old changes. do you want to fwd from a bridge? or what? (it makes a difference what patches are needed) If you want to fwd from a bridge to make a transparent layer 2 proxy, this may help.. Here are parts of it that may be relevent: these are old (2007 I think) but may be of use still. adrian had the full set at ==quote adrian= The stuff is in p4 now, but I haven't tested it out at all. //depo/projects/adrian_spoof_clientip/ I -think-. == end quote=== Index: net/if_bridge.c === RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.107 diff -u -r1.107 if_bridge.c --- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107 +++ net/if_bridge.c 28 Nov 2007 06:59:10 - @@ -2908,6 +2908,11 @@ struct ip *ip; struct llc llc1; u_int16_t ether_type; + int is_ip = 0; +#ifdef IPFIREWALL_FORWARD + struct m_tag *fwd_tag; +#endif + snap = 0; error = -1; /* Default error if not error == 0 */ @@ -2967,6 +2972,7 @@ #ifdef INET6 case ETHERTYPE_IPV6: #endif /* INET6 */ + is_ip = 1; break; default: /* @@ -3024,6 +3030,30 @@ if (*mp == NULL) return (error); + +#ifdef IPFIREWALL_FORWARD + /* + * Did the firewall want to forward it somewhere? + * If so, let the ip stack handle it. + */ + if (i == 0 args.next_hop != NULL + is_ip /* src != NULL */) { + + fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, + sizeof(struct sockaddr_in), M_NOWAIT); + if (fwd_tag == NULL) + goto drop; + bcopy(args.next_hop, (fwd_tag+1), + sizeof(struct sockaddr_in)); + m_tag_prepend(*mp, fwd_tag); + + if (in_localip(args.next_hop-sin_addr)) + (*mp)-m_flags |= M_FASTFWD_OURS; + ether_demux(src, *mp); + return (NULL); + } +#endif
Re: layer2 ipfw 'fwd' support
On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer jul...@freebsd.org wrote: On 10/6/10 12:06 PM, Eduardo Meyer wrote: On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischerjul...@freebsd.org wrote: On 10/5/10 12:56 PM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischerjul...@freebsd.org wrote: On 10/4/10 12:18 PM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org wrote: On 10/4/10 10:16 AM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch jamesbrandongo...@gmail.com wrote: On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com wrote: Hello, In the past I have used this patch by Luigi Rizzo, which helped me well. http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html I tried with a friend to port it to -STABLE, but we were not able to find out what has replaced mt_tag. Also on ip_input.c we dirty hacked to following piece of code: #ifdef IPFIREWALL_FORWARD if (m-m_flags M_FASTFWD_OURS) { m-m_flags= ~M_FASTFWD_OURS; goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */ } if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly * connected host. */ ip_forward(m, dchg); return; } #endif /* IPFIREWALL_FORWARD */ And this is something we are not sure if its correct. So my very obvious question is: Does anyone has a recent version of this patch to share? Can anyone familiar with ipfw source code help me with that? I'm certainly not an expert, but I wonder if the patch your referring to is still required? Can you provide more detail about your particular application? -Brandon Yes, its still required since ipfw fwd ignores layer2 frames. The application is the very same: squid. I mean, Lusca in fact (squid fork). Thank you for your interest. Cisco/Ironport have a patch that does this.. I had permission to bring it back when I worked there but never got it committed. Adrian, was it part of the set I gave you? Hello Elischer, Was this made public? I hope Chadd has some good news. In fact I tent to use with Lusca in tproxy mode. I bet this is the only missing piece of software. I just dug up my old changes. do you want to fwd from a bridge? or what? (it makes a difference what patches are needed) If you want to fwd from a bridge to make a transparent layer 2 proxy, this may help.. Here are parts of it that may be relevent: these are old (2007 I think) but may be of use still. adrian had the full set at ==quote adrian= The stuff is in p4 now, but I haven't tested it out at all. //depo/projects/adrian_spoof_clientip/ I -think-. == end quote=== Index: net/if_bridge.c === RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.107 diff -u -r1.107 if_bridge.c --- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107 +++ net/if_bridge.c 28 Nov 2007 06:59:10 - @@ -2908,6 +2908,11 @@ struct ip *ip; struct llc llc1; u_int16_t ether_type; + int is_ip = 0; +#ifdef IPFIREWALL_FORWARD + struct m_tag *fwd_tag; +#endif + snap = 0; error = -1; /* Default error if not error == 0 */ @@ -2967,6 +2972,7 @@ #ifdef INET6 case ETHERTYPE_IPV6: #endif /* INET6 */ + is_ip = 1; break; default: /* @@ -3024,6 +3030,30 @@ if (*mp == NULL) return (error); + +#ifdef IPFIREWALL_FORWARD + /* + * Did the firewall want to forward it somewhere? + * If so, let the ip stack handle it. + */ + if (i == 0 args.next_hop != NULL + is_ip /* src != NULL */) { + + fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, + sizeof(struct sockaddr_in), M_NOWAIT); + if (fwd_tag == NULL) + goto drop; + bcopy(args.next_hop, (fwd_tag+1), + sizeof(struct sockaddr_in)); + m_tag_prepend(*mp, fwd_tag); + + if (in_localip(args.next_hop-sin_addr)) + (*mp)-m_flags |= M_FASTFWD_OURS; + ether_demux(src, *mp); + return (NULL); + } +#endif + if (DUMMYNET_LOADED (i == IP_FW_DUMMYNET
Re: layer2 ipfw 'fwd' support
On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer jul...@freebsd.org wrote: On 10/4/10 12:18 PM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischerjul...@freebsd.org wrote: On 10/4/10 10:16 AM, Eduardo Meyer wrote: On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch jamesbrandongo...@gmail.com wrote: On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyerdudu.me...@gmail.com wrote: Hello, In the past I have used this patch by Luigi Rizzo, which helped me well. http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html I tried with a friend to port it to -STABLE, but we were not able to find out what has replaced mt_tag. Also on ip_input.c we dirty hacked to following piece of code: #ifdef IPFIREWALL_FORWARD if (m-m_flags M_FASTFWD_OURS) { m-m_flags= ~M_FASTFWD_OURS; goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */ } if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly * connected host. */ ip_forward(m, dchg); return; } #endif /* IPFIREWALL_FORWARD */ And this is something we are not sure if its correct. So my very obvious question is: Does anyone has a recent version of this patch to share? Can anyone familiar with ipfw source code help me with that? I'm certainly not an expert, but I wonder if the patch your referring to is still required? Can you provide more detail about your particular application? -Brandon Yes, its still required since ipfw fwd ignores layer2 frames. The application is the very same: squid. I mean, Lusca in fact (squid fork). Thank you for your interest. Cisco/Ironport have a patch that does this.. I had permission to bring it back when I worked there but never got it committed. Adrian, was it part of the set I gave you? Hello Elischer, Was this made public? I hope Chadd has some good news. In fact I tent to use with Lusca in tproxy mode. I bet this is the only missing piece of software. I just dug up my old changes. do you want to fwd from a bridge? or what? (it makes a difference what patches are needed) If you want to fwd from a bridge to make a transparent layer 2 proxy, this may help.. Here are parts of it that may be relevent: these are old (2007 I think) but may be of use still. adrian had the full set at ==quote adrian= The stuff is in p4 now, but I haven't tested it out at all. //depo/projects/adrian_spoof_clientip/ I -think-. == end quote=== Index: net/if_bridge.c === RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.107 diff -u -r1.107 if_bridge.c --- net/if_bridge.c 6 Nov 2007 23:01:42 - 1.107 +++ net/if_bridge.c 28 Nov 2007 06:59:10 - @@ -2908,6 +2908,11 @@ struct ip *ip; struct llc llc1; u_int16_t ether_type; + int is_ip = 0; +#ifdef IPFIREWALL_FORWARD + struct m_tag *fwd_tag; +#endif + snap = 0; error = -1; /* Default error if not error == 0 */ @@ -2967,6 +2972,7 @@ #ifdef INET6 case ETHERTYPE_IPV6: #endif /* INET6 */ + is_ip = 1; break; default: /* @@ -3024,6 +3030,30 @@ if (*mp == NULL) return (error); + +#ifdef IPFIREWALL_FORWARD + /* + * Did the firewall want to forward it somewhere? + * If so, let the ip stack handle it. + */ + if (i == 0 args.next_hop != NULL + is_ip /* src != NULL */) { + + fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, + sizeof(struct sockaddr_in), M_NOWAIT); + if (fwd_tag == NULL) + goto drop; + bcopy(args.next_hop, (fwd_tag+1), + sizeof(struct sockaddr_in)); + m_tag_prepend(*mp, fwd_tag); + + if (in_localip(args.next_hop-sin_addr)) + (*mp)-m_flags |= M_FASTFWD_OURS; + ether_demux(src, *mp); + return (NULL); + } +#endif + if (DUMMYNET_LOADED (i == IP_FW_DUMMYNET)) { == Index: netinet/ip_fw2.c === RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v retrieving revision 1.178 diff -u -r1.178 ip_fw2.c --- netinet/ip_fw2.c 28 Oct 2007 17:12:47 -
Re: layer2 ipfw 'fwd' support
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch jamesbrandongo...@gmail.com wrote: On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer dudu.me...@gmail.com wrote: Hello, In the past I have used this patch by Luigi Rizzo, which helped me well. http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html I tried with a friend to port it to -STABLE, but we were not able to find out what has replaced mt_tag. Also on ip_input.c we dirty hacked to following piece of code: #ifdef IPFIREWALL_FORWARD if (m-m_flags M_FASTFWD_OURS) { m-m_flags = ~M_FASTFWD_OURS; goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */ } if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly * connected host. */ ip_forward(m, dchg); return; } #endif /* IPFIREWALL_FORWARD */ And this is something we are not sure if its correct. So my very obvious question is: Does anyone has a recent version of this patch to share? Can anyone familiar with ipfw source code help me with that? I'm certainly not an expert, but I wonder if the patch your referring to is still required? Can you provide more detail about your particular application? -Brandon Yes, its still required since ipfw fwd ignores layer2 frames. The application is the very same: squid. I mean, Lusca in fact (squid fork). Thank you for your interest. -- === Eduardo Meyer pessoal: dudu.me...@gmail.com profissional: ddm.farmac...@saude.gov.br ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
Re: All I have is one packet!
On 8/8/07, Vadim Goncharov [EMAIL PROTECTED] wrote: 06.08.07 @ 23:05 Eduardo Meyer wrote: I have tried, for many weeks, ng_tag to tag packets for ipfw filtering. I could make it work fine. However, I have one problem. I want to make a state that will match any packet, on any protocol, between the peers. Why? Because all I have, is one packet. And this packet however, wont always be in the same transport protocol. For example, I can identify session initialization on TCP packets, but once initialized, all communication between peers happen via UDP. I know such a thing dont exist in ipfw. However, I would like to know if someone can suggest changes to the code that would do this. Would also be great if I could have a sysctl OID to tune state-timing of this unusual behavior, differently from the existing sysctl mibs on dyn stuff on ipfw. Every suggestion on a feature like that, would be appreciated. Yes, dynamic rules in ipfw are not intended for supporting state created in the middle of the session, wuth the default sysctl settings it will be kept for 1 second (which, however, is enough for shaping of fast transfers). I think, precise controlling of dynamic rules from both userland and kernel should be added to ipfw, to modify existing rules on the fly (or even more features, like pfsync). As a hackish dirty workaround, may be it should be only one keyword, something like keep-state-middle, to create normal dynamic rule without initial SYNs. But you've said about even more complex behaviour, like init on TCP, continue with UDP. That's difficult to implement in kernel, and may be even not suitable for ipfw. Currently (I think), you can try to emulate this behaviour by divert'ing tagged by ng_tag packet to userland program, like snort_inline (from ports collection) with needed scripting, which will trigger adding proper rules to firewall (you should also care about expiring that connection on SYNs and RSTs, though). That's exactly the point. However, from a simplistic and probably ignorant point of view on this matter, like mine, I believed it to be in fact a much more simple state, which would only compare IP addresses (src-dst) for the match, so I could just ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y It would be helpfull with many protocols which in fact use a transport proto (like TCP) to do actual session initialization while using another transport proto (UDP, DDP, whatever) for the real traffic; many things do this nowadays; Would such a feature be possible? -- === Eduardo Meyer pessoal: [EMAIL PROTECTED] profissional: [EMAIL PROTECTED] ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
All I have is one packet!
Hello ipfw users and hackers. I have tried, for many weeks, ng_tag to tag packets for ipfw filtering. I could make it work fine. However, I have one problem. I want to make a state that will match any packet, on any protocol, between the peers. Why? Because all I have, is one packet. And this packet however, wont always be in the same transport protocol. For example, I can identify session initialization on TCP packets, but once initialized, all communication between peers happen via UDP. I know such a thing dont exist in ipfw. However, I would like to know if someone can suggest changes to the code that would do this. Would also be great if I could have a sysctl OID to tune state-timing of this unusual behavior, differently from the existing sysctl mibs on dyn stuff on ipfw. Every suggestion on a feature like that, would be appreciated. -- === Eduardo Meyer pessoal: [EMAIL PROTECTED] profissional: [EMAIL PROTECTED] ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
ipfw tag and ng_tag
Hello, Finally with -BETA2 I can try ng_tag and ipfw tag. I have a certain unusual need to filter DNS queries which return NXDomain. Before filtering, I will make some cacti graphs. So I need to count packets with NXDomain expression on Layer 7. With tcpdump -X I can see that NXDomain alwas shows up perfectly, so this is the kind of L7 pattern which will be safe to filter. With hexdump(1) I found out the hex sequence for NXDomain expression to be: 4e 58 44 6f 6d 61 69 6e 0a I have the needed kernel modules loaded. What should I do next? I know I am supposed to create a ng_bpf pattern, similar to PATTERN=(ether[40:4]=0x134e5844 ether[44:4]=0x6f6d6169 ether[48:4]=0x6e0a) I did it, and execute it in the following script: PATTERN=(ether[40:4]=0x134e5844 ether[44:4]=0x6f6d6169 ether[48:4]=0x6e0a) NODEPATH=my_node: INHOOK=hook1 MATCHHOOK=hook2 NOTMATCHHOOK=hook3 cat /tmp/bpf.awk xxENDxx { if (!init) { printf bpf_prog_len=%d bpf_prog=[, \$1; init=1; } else { printf { code=%d jt=%d jf=%d k=%d }, \$1, \$2, \$3, \$4; } } END { print ] } xxENDxx BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk` ngctl msg ${NODEPATH} setprogram { thisHook=\${INHOOK}\ \ ifMatch=\${MATCHHOOK}\ \ ifNotMatch=\${NOTMATCHHOOK}\ \ ${BPFPROG} } } BUT, Here I get my first problem. Script returns: ngctl: send msg: No such file or directory I printed the full commands that returns the error, it is: ngctl msg setprogram { thisHook= ifMatch= ifNotMatch= bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0 jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3 k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } } Running tcpdump -s 8192 -ddd $PATTERN manually I get: 8 32 0 0 40 21 0 5 323901508 32 0 0 44 21 0 3 1869439337 32 0 0 48 21 0 1 28170 6 0 0 8192 6 0 0 0 Which looks that the ngctl data (code, kt, jf and k) are correct. But the command returns that error for some reason. The script was taken from ng_blf(4) man page. I am all new to this netgraph thing, and I couldnt even get to the ng_tag phase (stopped in ng_bpf). I would like to have your help to work it out, please. Thank you. ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]